Apple OS X 10.4.7 .gif "gifCopyIndexToIndex ()" Integer Overflow


Release Date:
August 1st, 2006

Severity:
High

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.7 and prior


Overview:
An integer overflow vulnerability exists when processing .gif files, which causes the application to crash and/or may allow an attacker to execute arbitrary code on the targeted host.


Technical Details:
When decompressing a specially crafted .gif file, the gifCopyIndexToIndex () function incorrectly parses the malformed data, causing a segmentation fault in the application, which may allow an attacker to execute arbitrary code.


Below, the crash is triggered on OS X (PPC) 10.4.7 using Preview, within gdb:


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x017fffff
(gdb) bt
#0 0xffff8c58 in ___memcpy ()
#1 0x91a1dd30 in gifCopyIndexToIndex ()
#2 0x919faaf0 in gifGetBandProc ()
#3 0x919f6e44 in getBytePtr_cb ()
#4 0x903cdb68 in CGAccessSessionGetBytePointer ()
#5 0x903dcc44 in CGAccessSessionGetChunks ()
#6 0x903dc948 in img_raw_read ()
#7 0x903dc7b8 in img_colormatch_read ()
#8 0x903db59c in img_data_lock ()
#9 0x903d9e38 in CGSImageDataLockWithReference ()
#10 0x9474e538 in ripc_AcquireImage ()
#11 0x9474ccd0 in ripc_DrawImage ()
#12 0x903d9bc8 in CGContextDelegateDrawImage ()
#13 0x903d9b30 in CGContextDrawImage ()
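The backtrace shows the fault inside memcpy called from gifCopyIndexToIndex (), i.e. a copy whose length or offset was derived from untrusted size fields in the file. The following is an added illustration, not Apple's code and not the advisory's proof of concept: a small GIF descriptor parser that computes the pixel-index buffer size with checked multiplication, rejects image rectangles that do not fit inside the logical screen, and performs the index copy only after bounds checks. The sample GIF byte strings are constructed here; the copy_index_checked() helper is a hypothetical stand-in for the real routine and assumes one byte per pixel index.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields from the logical screen descriptor and the first image descriptor. */
struct gif_frame {
    uint16_t screen_w, screen_h;   /* logical screen size */
    uint16_t left, top, w, h;      /* image rectangle */
};

/* Read a 16-bit little-endian value. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Checked multiply: 0 and product on success, -1 if a*b would wrap size_t. */
int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Parse header, logical screen descriptor, optional global color table,
   any extension blocks, and the first image descriptor.
   Returns 0 on success, -1 on truncated or malformed input. */
int gif_parse_first_frame(const uint8_t *buf, size_t len, struct gif_frame *f) {
    if (len < 13) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    f->screen_w = rd16(buf + 6);
    f->screen_h = rd16(buf + 8);
    uint8_t packed = buf[10];
    size_t pos = 13;
    if (packed & 0x80) {                        /* global color table present */
        size_t gct = 3u * (1u << ((packed & 0x07) + 1));
        if (gct > len - pos) return -1;         /* table runs past end of file */
        pos += gct;
    }
    while (pos < len && buf[pos] == 0x21) {     /* skip extension blocks */
        if (len - pos < 2) return -1;
        pos += 2;                               /* introducer + label */
        for (;;) {                              /* sub-blocks end with a 0 length */
            if (pos >= len) return -1;
            uint8_t sub = buf[pos++];
            if (sub == 0) break;
            if (sub > len - pos) return -1;
            pos += sub;
        }
    }
    if (len - pos < 10 || buf[pos] != 0x2C) return -1;
    f->left = rd16(buf + pos + 1);
    f->top  = rd16(buf + pos + 3);
    f->w    = rd16(buf + pos + 5);
    f->h    = rd16(buf + pos + 7);
    return 0;
}

/* Reject frames outside the logical screen and compute w*h without wrapping.
   Returns 0 and the byte count (one byte per index), or -1. */
int gif_frame_buffer_size(const struct gif_frame *f, size_t *out) {
    if (f->w == 0 || f->h == 0) return -1;
    /* widen before adding so left+w cannot wrap at 16 bits */
    if ((uint32_t)f->left + f->w > f->screen_w) return -1;
    if ((uint32_t)f->top + f->h > f->screen_h) return -1;
    return mul_checked(f->w, f->h, out);
}

/* Hypothetical bounds-checked index copy: n indices from src[src_off..]
   to dst[dst_off..]; returns -1 rather than reading or writing out of bounds. */
int copy_index_checked(uint8_t *dst, size_t dst_len, size_t dst_off,
                       const uint8_t *src, size_t src_len, size_t src_off, size_t n) {
    if (dst_off > dst_len || n > dst_len - dst_off) return -1;
    if (src_off > src_len || n > src_len - src_off) return -1;
    memcpy(dst + dst_off, src + src_off, n);
    return 0;
}

/* Constructed sample: 10x10 screen, 10x10 image at (0,0), no color table. */
const uint8_t GIF_GOOD[] = { 'G','I','F','8','9','a', 10,0, 10,0, 0x00, 0, 0,
                             0x2C, 0,0, 0,0, 10,0, 10,0, 0x00 };
/* Constructed sample: same screen, but image descriptor claims
   left=0xFFFF, width=0xFFFF, height=0xFFFF. */
const uint8_t GIF_BAD[]  = { 'G','I','F','8','9','a', 10,0, 10,0, 0x00, 0, 0,
                             0x2C, 0xFF,0xFF, 0,0, 0xFF,0xFF, 0xFF,0xFF, 0x00 };

int main(void) {
    struct gif_frame f;
    size_t n;
    if (gif_parse_first_frame(GIF_GOOD, sizeof GIF_GOOD, &f) == 0 &&
        gif_frame_buffer_size(&f, &n) == 0)
        printf("good: %ux%u frame, %zu index bytes\n", f.w, f.h, n);
    if (gif_parse_first_frame(GIF_BAD, sizeof GIF_BAD, &f) == 0 &&
        gif_frame_buffer_size(&f, &n) != 0)
        printf("bad: rejected, frame exceeds %ux%u screen\n", f.screen_w, f.screen_h);
    return 0;
}
```

The point of the example is that every quantity fed to the copy (rectangle position, pixel count, source and destination offsets) is validated against the declared screen size and the actual buffer lengths before memcpy runs, so an inconsistent descriptor yields an error return rather than a wild write.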


Vendor Status:
05/16/2006 - Vendor is notified.
06/05/2006 - Vendor acknowledges the flaw.
08/01/2006 - Advisory released.


Solution:
Security Update 2006-004 fixes this issue.


Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x33.gif
http://www.apple.com/macosx/

Copyright (c) 2006 Security-Protocols LLC